The founders don't need to buy a $5,000 server before they can launch. They start on the cloud's free tier, and the bill only grows as real customers show up.
A Field Guide for Undergraduates
Cloud Computing Made Simple
For students who've heard the word "cloud" a hundred times and want to actually get it — no assumed background required.
The as-a-service ladder — Ch. 2. Fewer decisions to make as you climb, more convenience in exchange.
Before You Start
This book is written for undergrads with any background — whether you've already written code or you've never opened a terminal. There's no assumed prior knowledge. Where a term sounds scary, we'll explain it with something you already know (renting an apartment, ordering pizza, a school cafeteria) before we give you the "official" version.
Three little markers will show up throughout the book:
The one-sentence version, for when you just want the gist.
A common misunderstanding or mistake, so you don't repeat it.
For the curious — a pointer to the real, technical version of what you just read (useful once you're ready for internships, certifications, or a job).
Each chapter ends with a Quick Recap and a handful of Check Yourself questions — good for self-testing before a quiz.
Two running examples appear throughout the book so the ideas stay grounded instead of floating in the abstract:
- BrewBean — a small startup's coffee-ordering app. Low budget, one small team, spiky traffic (busy at 7–9am, dead at 2am).
- Riverside Water Authority — a public utility that bills households for water, manages employee payroll, tracks a truck fleet, and maintains a map of pipes underground. Higher stakes (real money, real citizens' data), steadier traffic, small IT team.
Whenever you see a "Back to BrewBean" or "Back to Riverside" note, that's the same running story showing the concept in action.
01What Is "The Cloud," Really?
Forget the fluffy icon. It's someone else's computer, rented by the minute — and five specific traits that make that renting genuinely different from renting anything else.
Here's the least mystical explanation possible: the cloud is just someone else's computer that you rent by the minute, over the internet, instead of buying and running your own. That's genuinely most of it. The interesting part is how that renting works.
An analogy: electricity, not a generator
A hundred years ago, if a factory wanted power, it built its own generator on-site — expensive, needed maintenance, and if you built it too small you'd run out of power on a busy day; too big, and you wasted money on unused capacity every quiet day.
Then the electrical grid arrived. Now the factory just plugs in and pays for what it uses, whenever it uses it. Cloud computing did the same thing to computers: instead of a company buying its own servers (the "generator"), it plugs into a provider's giant computer "grid" (AWS, Azure, Google Cloud) and pays only for what it actually uses.
The five things that make it "cloud"
There's an official definition from a US standards body (NIST) worth knowing — every course, certification, and interview will reference some form of it. In plain English:
- On-demand self-service — you click a button and get a new server. No phone call, no waiting for someone to walk to a server room.
- Broad network access — you reach it over the internet from anywhere, on any device.
- Resource pooling — the provider's giant pile of computers is shared across thousands of customers, like an apartment building sharing plumbing between units.
- Rapid elasticity — you scale up in minutes when busy and down when quiet; capacity feels basically unlimited.
- Measured service — everything is metered, like a water meter, and billed for exactly what you used.
If a technology doesn't let you self-serve, scale elastically, and pay only for what you use — it might be "hosted," but it isn't really "cloud."
Cloud vs. building it yourself
| Building it yourself ("on-prem") | Cloud | |
|---|---|---|
| Money upfront | A lot — buy the servers first | Almost none — pay as you go |
| Time to get started | Weeks or months | Minutes |
| Scaling for a busy day | Buy hardware in advance, hoping you guessed right | Scales up automatically when traffic arrives |
| Who fixes broken hardware | Your own team | The cloud provider |
| Quiet day | You paid for capacity you're not using | You pay less, automatically |
When building it yourself still makes sense: computing needs so steady you'd use 100% of a server 24/7 for years, or strict legal rules that hardware must sit inside your own building. For almost every student project and startup, cloud wins.
The money side: Capex vs. Opex
This sounds like an accounting term you can ignore — it explains why companies love the cloud so much.
- Capex (Capital Expenditure) — buying a big asset upfront, like buying a car outright. It sits on the books as something you own.
- Opex (Operating Expenditure) — an ongoing bill, like a ride-hailing fare or a Netflix subscription. You never own the car; you just pay each time you use it.
Cloud shifts spending from capex (buy servers) to opex (pay a monthly bill) — a big deal for a small startup that doesn't have to raise cash upfront just to get started.
Government accounting sometimes has separate approval processes for "capital budget" versus "operating budget" — so even though cloud is opex-friendly for a startup, a public agency has to navigate its own budget rules before adopting it.
Quick Recap
- Cloud = renting someone else's computers, over the internet, paid for by actual usage.
- Five defining traits: on-demand self-service, network access, shared pooled resources, elastic scaling, and metered billing.
- Cloud trades upfront cost (capex) for ongoing cost (opex) — usually a win for anyone without a pile of cash sitting around.
Check Yourself
- Name the five traits that make something genuinely "cloud" rather than just "a server I'm renting."
- Why doesn't a factory build its own power generator anymore — and how is that the same reason companies don't build their own server rooms?
- Give one real-world situation where owning your own hardware (on-prem) still beats the cloud.
02The "As-a-Service" Menu
IaaS, PaaS, SaaS, FaaS — four letters that all answer one question: how much of the technical work does the provider do for you?
The pizza analogy
Imagine you want pizza tonight. You have four options, each handing off a different amount of the work:
| Option | What you do | Cloud equivalent |
|---|---|---|
| Make it completely from scratch | Buy flour, make dough, buy an oven, bake it | On-premises |
| Ingredients delivered, bake yourself | Assemble, bake, clean up | IaaS |
| Take-and-bake pizza | Just put it in the oven | PaaS |
| Order delivery, it arrives | Eat it | SaaS |
A fifth, newer option doesn't fit neatly on the pizza scale: FaaS (Function as a Service) — a vending machine that bakes you exactly one slice, on demand, the second you press the button, and disappears again the moment you're done. You're billed only for that.
What each one actually is
- IaaS — raw computers, storage, networking; you choose the OS and patch it. Maximum control, maximum responsibility. Amazon EC2, Google Compute Engine, Azure VMs.
- PaaS — the provider handles the OS and runtime; you hand over your app. Google App Engine, Azure App Service, and — importantly here — Google Cloud Run.
- FaaS — you write one small function; the provider does everything else, including making it disappear (and stop costing money) when nobody's using it. AWS Lambda, Azure Functions, Cloud Run functions.
- SaaS — a complete, ready-to-use application. No infrastructure decisions at all. Gmail, Microsoft 365, Salesforce.
As you move IaaS → PaaS → FaaS → SaaS, you give up control but gain convenience. There's no "best" one — it depends on how much you want to manage yourself.
Two extra terms worth knowing
- CaaS (Containers as a Service) — a managed way to run containers without operating the scheduling machinery. Sits between IaaS and PaaS.
- DBaaS (Database as a Service) — a managed database. Often the very first "as-a-service" thing any small team adopts, because running your own database well is genuinely hard.
Their app runs on Cloud Run — PaaS-ish/CaaS. They ship a packaged app; Google handles the server underneath entirely.
Their billing database is a good fit for DBaaS — nobody on a small water-utility IT team wants to be the one manually patching database software at 11pm.
The companion technical notes (01-cloud-fundamentals-and-service-models.md) include a full stack diagram showing exactly which layer you manage at each service model.
Quick Recap
- IaaS, PaaS, FaaS, and SaaS are a sliding scale of "how much do I manage vs. the provider."
- More convenience usually means less control, and vice versa.
- Pick based on how much your team actually wants to operate, not what sounds most "advanced."
Check Yourself
- Where does "ordering delivery pizza" sit on the as-a-service scale?
- What's the key difference between PaaS and FaaS when nobody's using your app right now?
- Give an example of a task that's a good fit for SaaS instead of building something yourself.
03Meet the Big Three Cloud Providers
AWS, Azure, and Google Cloud — three supermarket chains, each with a different personality.
Three companies dominate cloud computing: Amazon (AWS), Microsoft (Azure), and Google (Google Cloud / GCP). All sell "groceries," all are reliable, but each has a different specialty.
| AWS | Azure | Google Cloud | |
|---|---|---|---|
| Personality | Biggest, broadest catalog | Enterprise-friendly, Microsoft-native | Data & AI specialist, simple pricing |
| Roughly, market share | Largest (~30%) | Second (~24%), growing fast | Third (~12%), growing fastest |
| Best known for | Breadth — hundreds of services | Windows, Office 365, Active Directory integration | BigQuery, Kubernetes (Google invented it), AI |
| Good default if… | You want maximum choice, largest hiring pool | Your org already runs on Microsoft software | You want simple pricing and strong data tools |
None of this means one is "the best" — the right choice depends on your team, your existing tools, and what you're building.
A quick word on "Vertex AI," "Bedrock," "Azure AI Foundry"
Each provider also has its own AI platform for building AI-powered features. We won't go deep into AI here — that's a whole additional topic in this course — but know these names refer to "which company's AI toolbox," not different concepts.
A small, cost-conscious team building a simple app is a classic case for Google Cloud — simple pricing, generous free usage, less to configure.
A government body often has to formally document that it considered multiple vendors before choosing one — this comparison table is exactly the kind of artifact that documentation would include.
Don't assume "biggest market share" means "best choice for me." AWS being #1 doesn't make it automatically right for a small team that would benefit more from GCP's simpler pricing, or a Microsoft-heavy company that would benefit from Azure's tight Office integration.
Quick Recap
- AWS, Azure, and GCP are the three dominant cloud providers, each with a different specialty.
- The "best" one depends on your team's existing skills/tools and what you're building — not market share alone.
Check Yourself
- Which provider would you lean toward if your company already runs entirely on Microsoft Office and Windows Server?
- Which provider is most associated with Kubernetes and BigQuery?
- Why might a government agency document a multi-provider comparison even if they only intended to pick one?
04Renting Computers the Smart Way
Virtual machines, containers, and serverless — a whole house, an apartment unit, or a hotel room billed by the hour.
The spectrum: VMs → Containers → Serverless
Imagine three ways to get a place to cook:
- Virtual Machine = renting a whole house. Full control over the plumbing, walls, everything — and you're responsible for maintaining all of it, paying rent whether you're home or not.
- Container = renting a unit in an apartment building. Your own self-contained space, sharing the building's foundation and utilities with other tenants — cheaper and faster to move into than a whole house.
- Serverless = paying for a hotel room only for the hours you sleep there. The moment you leave, the meter stops. On a quiet night, a room isn't even prepared until you check in.
| Virtual Machines | Containers | Serverless | |
|---|---|---|---|
| Startup time | Minutes | Seconds | Milliseconds–seconds |
| Who manages the OS | You | Shared, but you configure a lot | Nobody — fully hidden |
| Cost when idle | You still pay | Often still pay something | Usually $0 |
| Best for | Full control, specialized hardware, legacy software | Portable apps, standardized tooling | Unpredictable traffic, small teams |
Kubernetes, a name you'll hear constantly, is basically the "building manager" software that looks after a large number of containers spread across many physical machines — deciding which container goes where, restarting crashed ones, and so on. Genuinely powerful, but also a lot of machinery to learn and operate.
Autoscaling: adding more staff when the queue gets long
Autoscaling means automatically adding computing capacity when demand increases, and removing it when demand drops — like a coffee shop opening a second register the moment the line gets long, and closing it again once things quiet down. Serverless platforms can scale all the way down to zero registers open (and zero cost) at 3am.
Cold starts: the barista who's gone home
A cold start is the small delay the first time a "new" computing environment has to wake up before it can serve you — like walking into a café at an odd hour and waiting for the barista to come out and turn the machine on, versus 8am when everything's already warmed up.
You can avoid this by keeping at least one "barista" always ready (a minimum instance count) — worth doing where that first delay would be a bad experience (a payment button), not worth doing for something rarely visited (an internal admin page used twice a month).
Choosing the right option
- Spiky or mostly idle traffic? → Serverless. You'll barely pay when it's quiet.
- Steady, heavy traffic all day? → A regular server or right-sized container setup often becomes cheaper than serverless.
- Need specific hardware (GPU) or full OS control? → A Virtual Machine.
- A small, one-off task triggered by an event? → Serverless functions (FaaS) are the simplest fit.
Their ordering app is busy at breakfast and dead at 2am — a textbook case for serverless. They scale down to zero instances overnight, so there's genuinely nothing to pay for while nobody's ordering coffee.
Their citizen billing portal has more predictable traffic and higher stakes if it's slow — a good candidate for keeping at least one instance always warm, even at a small extra cost.
The technical notes (03-cloud-compute-and-serverless.md) include an actual worked example of the CPU, memory, concurrency, and min/max instance settings for a real Cloud Run deployment.
Quick Recap
- VMs = a whole rented house; containers = an apartment unit; serverless = paying only for the hours you use a hotel room.
- Autoscaling adds/removes capacity automatically based on demand.
- A cold start is the short delay when a "sleeping" serverless environment wakes up — mitigate it with a minimum warm instance count if that delay matters.
Check Yourself
- Match VMs, containers, and serverless to their housing analogy.
- Why would a mostly-idle app almost always be cheaper on serverless than a VM running 24/7?
- Give one workload where you'd pay extra to avoid cold starts, and one where you'd accept them.
05Where Does Your Data Live?
Warehouses of labeled boxes, filing cabinets bolted to your desk, disciplined spreadsheets, and flexible folders of documents.
Three kinds of storage
- Object storage = a warehouse of labeled boxes. Drop a whole file in with a label, fetch it back by that label; you can't edit a piece without replacing the whole box. Best for photos, videos, backups. Amazon S3, Google Cloud Storage, Azure Blob Storage.
- Block storage = your personal filing cabinet, bolted to your desk. Behaves like a hard drive attached to one machine — fast, but tied to it. What database engines typically sit on. Amazon EBS, Google Persistent Disk.
- File storage = a shared office filing cabinet everyone can open. Multiple computers open and use it at once, like a shared network drive.
If you're wondering "should this be object storage?" ask: is this a whole file I mostly just save and later fetch, and might many different servers need to read it? If yes, object storage is almost always the right default.
Storage classes let you mark old, rarely-accessed files as "cold" storage — cheaper to keep, a little pricier to retrieve — like moving old paperwork into a storage unit across town. Riverside, which must keep years of billing records it rarely looks at, saves real money doing this.
Databases: SQL vs. NoSQL
- Relational (SQL) databases are like a very disciplined spreadsheet: strict columns, clear rules, strong guarantees that a transaction either fully happens or doesn't (critical for money). Amazon RDS, Google Cloud SQL, Azure Database.
- NoSQL databases are more like a flexible folder of documents: each entry can look different, no rigid up-front structure, built for massive scale of simple lookups. MongoDB-style stores, DynamoDB, Firestore.
| Ask yourself… | Lean SQL | Lean NoSQL |
|---|---|---|
| Lots of relationships between data types? | Yes | No |
| Need strict money-transaction guarantees? | Yes | Sometimes possible, but SQL is the classic safe choice |
| Data's shape still evolving a lot? | — | Yes, flexibility helps |
| Mostly blazing-fast simple lookups at huge scale? | — | Yes |
"NoSQL" doesn't mean "better" or "more modern" — it means "different trade-offs." A billing system, with real money on the line, almost always wants a SQL database's strict guarantees, not NoSQL's flexibility.
Data warehouses: the big reporting library
A data warehouse (Google BigQuery, Amazon Redshift) is a separate database built for big, heavy reporting questions, instead of the fast, small day-to-day questions a regular app database handles. Most systems keep their everyday database separate from their reporting warehouse, so heavy reports never slow down the live app.
Backups and "what if something goes wrong"
- RPO (Recovery Point Objective): how much data you can afford to lose, measured in time. "1 hour RPO" means, worst case, you'd lose up to an hour of transactions.
- RTO (Recovery Time Objective): how much downtime you can afford. "30-minute RTO" means you need to be back up within half an hour.
Think insurance policy: the more protection you want, the more it costs to maintain — usually by keeping a live, ready-to-go backup running somewhere else, rather than just an occasional snapshot.
A nightly backup of the ordering database is probably enough — losing a few hours of orders in a worst case is painful but survivable for a small startup.
The billing database deserves a much tighter RPO/RTO — frequent backups, a ready standby copy, and an actually-tested restore drill, because losing hours of billing/payment records affects real households and public trust.
The technical notes (04-cloud-storage-and-databases.md) cover specific DR patterns — backup-and-restore, pilot light, warm standby, active-active — ranked from cheapest to most robust.
Quick Recap
- Object storage = labeled boxes; block storage = a filing cabinet bolted to one desk; file storage = a shared office cabinet.
- SQL enforces strict structure and strong guarantees (good for money); NoSQL trades some structure for flexibility and raw scale.
- A data warehouse is a separate database for heavy reporting, kept apart from your everyday app database.
- RPO = tolerable data loss; RTO = tolerable downtime.
Check Yourself
- Which storage type would you use for thousands of uploaded profile photos, and why?
- Why would a billing system almost always prefer SQL over NoSQL?
- Explain RPO and RTO using an analogy that isn't insurance.
06How the Cloud Talks to the World
Private neighborhoods, restaurant hosts, local franchises, phonebooks, and checking everyone's ID at every door.
VPCs: your own private neighborhood
A VPC (Virtual Private Cloud) is your own private, isolated slice of network inside the provider's cloud — like renting a gated neighborhood with your own private streets, even though the whole city is shared by many other "neighborhoods." You decide which houses (servers/databases) get a street-facing address (public) versus sit tucked away at the back (private).
Your database should almost never have a public, internet-facing address — it belongs in the tucked-away part of the neighborhood, reachable only from your app.
Load balancers: the restaurant host
A load balancer is like the host who greets you at a busy restaurant and seats you at whichever table/waiter is free, instead of everyone crowding one waiter while others stand idle. It also notices if a "waiter" (server) has gone missing and quietly stops sending guests their way.
CDNs: local franchise stores instead of one central warehouse
A CDN copies your unchanging content (images, videos, style files) to many small "storefronts" around the world, physically closer to each visitor — like a coffee chain opening a local branch in every city instead of making every customer travel to one central roastery.
DNS: the internet's phonebook
DNS translates a friendly name (brewbean.com) into the numeric address a computer needs — exactly like looking up a name in a phonebook. You almost never think about it until it breaks, at which point everything seems "down" even though the servers are fine.
Zero trust: checking everyone's ID, every single time
Old-school security worked like an office with a strong front door: once past security, you can wander any floor freely — "inside the building" implicitly meant "trusted." Zero trust throws that out: every door inside checks your ID again, every time, regardless of the front entrance.
This matters for Riverside: the public citizen-facing billing website being "inside the same network" as the internal HR/payroll system should not mean the billing website can freely reach payroll data.
A small app behind a CDN (for images/menus) and a load balancer, all inside one private neighborhood (VPC), is a completely standard, simple setup.
Given the sensitivity of citizen and payroll data, the "every door checks your ID" mindset genuinely matters — nobody should assume a request is safe just because it came from inside the network.
Quick Recap
- A VPC is your own private, isolated network neighborhood inside the cloud.
- A load balancer spreads traffic evenly, like a restaurant host.
- A CDN puts copies of unchanging content physically closer to each visitor.
- DNS is the internet's phonebook.
- Zero trust means checking identity at every internal door, not just the front entrance.
Check Yourself
- Why should a production database almost never have a public IP address?
- Explain why a CDN makes a website feel faster for a visitor across the world.
- What's the key difference between "castle-and-moat" security and "zero trust"?
07Keeping the Cloud Safe
Badge systems, locked diaries, safes instead of sticky notes, and safety inspections for data.
IAM: the office badge system
IAM (Identity and Access Management) answers two questions for every action: who are you, and what are you allowed to do? Like an office badge: it proves who you are (authentication), and it's programmed to open only the doors you actually need (authorization) — not every door in the building.
The single most important rule is least privilege: give people (and apps) only the access they actually need, nothing more "just in case" — the cloud-security equivalent of not handing every new employee a master key on day one.
The most common real-world cloud security failure isn't a genius hacker — it's someone accidentally leaving a "master key" (a long-lived password or access key) somewhere public, like posting it on GitHub. Short-lived, automatically-expiring credentials are much safer than permanent ones.
Encryption: locking the diary and locking the mail truck
- Encryption at rest protects data sitting still on a disk — a locked diary, so a stolen notebook can't be read without the key.
- Encryption in transit protects data while moving between two places — a sealed courier bag, instead of an open postcard.
Modern platforms encrypt data at rest by default — but it's still your job to make sure data is also encrypted in transit everywhere, including the easily-forgotten app-to-database hop.
Secrets management: use a safe, not a sticky note
A "secret" is any sensitive value your app needs — a database password, an API key. The classic beginner mistake is hardcoding these directly into code (which then gets saved to GitHub for the world to see). A "secrets manager" is a proper safe with an access log, instead of a sticky note on your monitor.
Compliance: safety inspections for data
You'll hear acronyms like ISO 27001 and SOC 2 — basically independent safety inspections that prove good security practices, like a restaurant's health inspection certificate. Importantly: a cloud provider being certified does not automatically make your app secure or compliant — you still have to lock your own doors correctly on top of a secure building.
In the Philippines, the Data Privacy Act of 2012 governs how personal data must be handled, enforced by the National Privacy Commission — directly relevant to any system storing citizens' personal information.
A simple pre-launch security checklist
- No passwords or API keys typed directly into code.
- Every important human account has multi-factor authentication (MFA) on.
- Databases are not directly reachable from the public internet.
- Everything is encrypted both at rest and in transit.
- Backups exist, and someone has actually tested restoring from one.
- There's a written plan for "what do we do, and who do we tell, if data leaks."
A small team should still turn on MFA, avoid hardcoding secrets, and keep the database private — good habits cost nothing and prevent the most common mistakes.
Because it holds citizens' personal and financial data, it needs everything above plus explicit Data Privacy Act compliance and a documented breach-notification plan before going live.
Quick Recap
- IAM = an office badge system; give the least access necessary.
- Encrypt data at rest and in transit, everywhere — including the app-to-database hop.
- Store secrets in a proper secrets manager, never in code.
- Compliance certifications certify the provider's infrastructure, not automatically your app.
Check Yourself
- Explain "least privilege" using the office badge analogy.
- What's the difference between encryption at rest and in transit?
- Why doesn't a provider's ISO 27001 certification automatically make your app compliant?
08Watching Your Wallet
Electricity bills, storage units, roaming charges, gym memberships, and standby airline tickets.
What actually drives the bill
| Cost driver | Everyday analogy |
|---|---|
| Compute (servers running) | Your electricity bill — the meter runs while things are "on" |
| Storage (data sitting around) | Rent for a storage unit — small per month, adds up over years |
| Data leaving the cloud (egress) | Roaming charges — data coming in is usually free, leaving often isn't |
| Idle/forgotten resources | Leaving the lights and AC on in an empty room |
The single most common "surprise cloud bill" story is simply forgetting to turn something off. Setting a budget alert is a five-minute task that prevents most of these stories.
Pricing models: walk-in rate vs. gym membership vs. standby ticket
- On-demand: like a walk-in gym day-pass — most flexible, most expensive per visit.
- Reserved/committed: like an annual gym membership — commit in advance for a real discount, but locked in even on months you don't go.
- Spot/preemptible: like a heavily discounted standby airline ticket — very cheap, but the airline can bump you with short notice. Great for interruptible workloads, terrible for anything that must never stop mid-task.
Don't commit to the "annual membership" pricing until you know your steady real usage — committing too early is the single most common cloud cost mistake for small teams.
Tagging: labeling every receipt
Tagging means attaching a small label (project: brewbean-app) to every cloud resource, so at month's end you can see which project or department is responsible for which slice of the bill — like labeling every receipt so accounting knows which budget to charge.
FinOps: a household budgeting habit
FinOps (Finance + DevOps) is just the practice of regularly reviewing and adjusting your cloud spending — like checking your bank statement monthly instead of once a year in a panic. For a small team: a monthly reminder to review the bill, a budget alert, and the discipline to delete unused things.
Start on pure pay-as-you-go pricing; only consider a committed/reserved discount once they have several real months of stable traffic data to base the decision on.
As a public body spending public money, tagging every resource by department/module (billing, HR, fleet, GIS) isn't optional — it's exactly the transparency an auditor will expect.
Quick Recap
- The biggest cost drivers are compute, storage, and data leaving the cloud (egress).
- On-demand = flexible but pricier; reserved/committed = cheaper but locked in; spot = very cheap but interruptible.
- Tag every resource so you know who/what is responsible for each part of the bill.
- FinOps is just the habit of regularly reviewing and adjusting cloud spending.
Check Yourself
- Why is data leaving the cloud (egress) often more expensive than data coming in?
- When should a team consider switching from on-demand to a reserved/committed discount?
- Why does tagging matter more once multiple teams share one cloud account?
09Building Apps the Cloud-Native Way
Good hygiene rules, one big kitchen vs. a food court, and a notice board instead of a phone call.
The 12-Factor App: good hygiene rules
The 12-Factor App is a well-known set of good habits for cloud-friendly software. A few matter enormously:
- Keep configuration out of your code. Passwords, keys, and settings that differ between environments should live outside the code, so the same packaged app runs anywhere just by changing its settings.
- Treat your running app as disposable. Any single copy should be killable and instantly replaceable without anyone noticing — put shared state in a database or cache, not in the app's own memory. This is exactly what makes autoscaling safe.
- Send logs somewhere else. Let the platform collect and centralize logs instead of digging through files on individual machines.
Monolith vs. microservices: one big kitchen vs. a food court
- A monolith is one app doing everything — one big kitchen making every dish. Simple to run, but everything scales and deploys together, whether it needs to or not.
- Microservices split the app into many small, independently-run pieces — a food court where each stall specializes and scales independently. Powerful for large teams, but more coordination and more things that can individually break.
The middle ground — a "modular monolith": organize your one app into clean, separate internal sections without actually splitting into separate deployed services yet. Most of the organizational clarity of microservices, without the operational overhead.
"We should use microservices because it's the modern way" is one of the most common and avoidable over-engineering mistakes in cloud architecture. Most small and even medium-sized systems are better off starting as a modular monolith.
Event-driven architecture: a notice board instead of a phone call
Normally, one part of a system calls another directly and waits for an answer — a phone call. In an event-driven design, a part posts a notice ("MeterReadingRecorded!") to a shared board, and any interested part reacts whenever it gets around to it — without the first part needing to know or care who's watching.
A technician records a meter reading → posts a notice → billing generates an invoice → notifications emails the citizen → analytics updates a report. None of these needed to directly know about each other — they all just watch the same board.
API gateways and service mesh
An API gateway is a single front desk that all requests pass through first — checking IDs, handling rate limits, routing each visitor to the right department. A service mesh is extra infrastructure that automatically handles secure communication and monitoring between many microservices — genuinely useful, but only once you have a food court with dozens of stalls that would otherwise each build this plumbing themselves.
A single, well-organized app (a "modular monolith" internally) is the right size — no microservices, no service mesh needed yet.
Despite having four distinct areas (billing, HR, fleet, GIS), the smart starting move is one well-organized modular monolith — splitting into true microservices only once a specific reason shows up, like the public GIS map needing to scale completely independently from internal HR.
Quick Recap
- 12-Factor habits: keep config outside your code, treat instances as disposable, centralize your logs.
- Monolith = one kitchen; microservices = a food court; modular monolith = a clean middle ground most systems should start with.
- Event-driven architecture lets parts of a system react to "notices" instead of calling each other directly.
- An API gateway is a shared front desk; a service mesh is extra plumbing worth it only once you have many independent services.
Check Yourself
- Why does "treat your app as disposable" matter for autoscaling to work safely?
- What's a "modular monolith," and why is it often the right starting point?
- Using the meter-reading example, explain why event-driven design keeps billing and notifications independent.
10Bringing It All Together
One table, one story, one glossary — and where to go from here.
| Chapter | Big idea, in one line |
|---|---|
| 01 · What is the cloud? | Renting someone else's computers, over the internet, paid for by actual usage. |
| 02 · As-a-Service menu | IaaS/PaaS/FaaS/SaaS = a sliding scale of who manages what. |
| 03 · Meet the Big Three | AWS, Azure, and GCP are the three dominant providers, each with a specialty. |
| 04 · Renting computers | VMs, containers, and serverless trade control for convenience. |
| 05 · Where data lives | Object/block/file storage, SQL vs. NoSQL, warehouses, and RPO/RTO. |
| 06 · How the cloud talks | VPCs, load balancers, CDNs, DNS, and zero trust move and protect traffic. |
| 07 · Keeping it safe | IAM, encryption, secrets, and compliance layer together to protect data. |
| 08 · Watching your wallet | Compute, storage, and egress drive cost; tagging and FinOps keep it in check. |
| 09 · Building cloud-native | 12-Factor habits, modular monoliths, and event-driven design shape how you build. |
A short story pulling it all together
Imagine BrewBean, six months after launch, has grown into a real small business with thousands of daily orders. Here's how the ideas from this book show up in one ordinary morning:
A customer opens the app (Ch. 6: DNS resolves the name, a load balancer picks a healthy server, a CDN serves images from a nearby copy). They log in (Ch. 7: password checked against an encrypted database, connection protected the whole way). They place an order, and because it's 8am rush hour, more app instances automatically spin up (Ch. 4: autoscaling on serverless containers). The order is saved to a SQL database, because a payment must not be "half-recorded" (Ch. 5). Placing the order posts a notice that a background service picks up to email a receipt, without the main app waiting around (Ch. 9: event-driven design). At month's end, the founder checks a dashboard showing exactly how much last month cost, broken down by tag (Ch. 8), and decides whether it's time to consider a committed-use discount now that there's real usage data.
None of these ideas exist in isolation — real systems are always a combination working together.
A short glossary
- API
- A defined way for two pieces of software to talk to each other.
- Autoscaling
- Automatically adding/removing computing capacity to match demand.
- Cold start
- The short delay when a "sleeping" serverless environment wakes up to serve a request.
- Container
- A lightweight, portable package of an app and everything it needs, sharing the host machine's core with other containers.
- DNS
- The system that translates human-friendly names into computer addresses.
- Egress
- Data leaving a cloud network, often the cost that catches people by surprise.
- IAM
- Identity and Access Management: who you are, and what you're allowed to do.
- Kubernetes
- Software that manages large numbers of containers across many machines.
- Load balancer
- Spreads incoming traffic evenly across multiple servers.
- Microservices
- An app split into many small, independently deployed pieces.
- On-prem
- Running your own hardware in your own building, instead of using the cloud.
- Serverless
- Computing where the provider handles everything below your code, including scaling to zero cost when idle.
- VPC
- Your own private, isolated network inside a cloud provider's infrastructure.
Where to go next
This book intentionally left out most exact numbers, command syntax, and pricing details — those change constantly and are better looked up fresh when needed. Once these ideas feel comfortable:
- Get hands-on. Every major provider has a free tier — the fastest way to make these ideas click is to deploy something small yourself.
- Read the official docs for precision. The AWS, Google Cloud, and Azure Architecture Centers, and the official NIST definition of cloud computing, are free and authoritative.
- Want the deeper, technical version of every chapter — exact configuration flags, exact percentages, real worked examples? Ask your instructor about the companion technical reference notes this book was distilled from.
You now have the mental map. The rest is practice.